Harness Docs / Policy-Pack Format

Policy-Pack Format

A policy pack is a signed JSON manifest. It tells the harness what to enforce on agent actions. This page annotates one of the reference packs (pii-block-v1) field by field.

01 / Spec

Canonical specification

The authoritative spec is policy-pack-format.md in the reference repo: github.com/AiEGIS/aiegis-harness/blob/main/policy-pack-format.md. The spec covers manifest shape, field semantics, evaluation order, signature canonicalisation (RFC 8785 JCS), audit-log entry shape, and distribution.

Spec version pinned: ahp-policy-pack/0.1. Reference daemon implementation: harness_core::pack (Rust) and reference-daemon/harness.py (Python).

02 / Annotated example

Annotated: pii-block-v1

Left column: the actual JSON manifest from examples/pii-block.json. Right column: line-by-line annotations. Both columns scroll independently on narrow viewports.

{
  "spec_version": "ahp-policy-pack/0.1",
  "pack_id": "pii-block-v1",
  "pack_name": "Refuse actions containing PII",
  "issuer": "did:web:aiegis.ie",
  "issued_at": "2026-05-25T09:00:00Z",
  "expires_at": "2027-05-25T09:00:00Z",
  "jurisdictions": ["EU", "IE", "UK", "*"],
  "rules": [
    {
      "rule_id": "pii-email",
      "match": {
        "action": "*",
        "fields": [
          "input",
          "context.user_message",
          "context.tool_args",
          "target"
        ]
      },
      "policy": {
        "language": "rego",
        "module": "package aiegis.pii.email\n\ndefault decision := \"ALLOW\"\n\ndecision := \"DENY\" {\n  re_match(`[A-Za-z0-9._%+\\-]+@[A-Za-z0-9.\\-]+\\.[A-Za-z]{2,}`, input.value)\n}"
      },
      "deny_reason": "pii_email_detected",
      "layer": "L3-Compliance"
    },
    {
      "rule_id": "pii-phone-e164",
      "match": { "action": "*", "fields": ["input", "context.user_message", "context.tool_args"] },
      "policy": { "language": "rego", "module": "..." },
      "deny_reason": "pii_phone_detected",
      "layer": "L3-Compliance"
    }
  ],
  "default_decision": "ALLOW",
  "signature": {
    "alg": "EdDSA",
    "kid": "0tyrGMFykIxD4Orn2782_Q",
    "value": "REFERENCE_PACK_NOT_SIGNED_LOCAL_DEV_ONLY"
  }
}

spec_version

Must be "ahp-policy-pack/0.1" for this spec. The daemon refuses packs with an unknown version. Future spec bumps will be additive (new optional fields) until v0.2.

pack_id

Slug. Must match ^[a-z0-9](?:[a-z0-9-]{1,62}[a-z0-9])$. Stable across versions — bump the file content, not the id. Shown in audit-log entries as deciding_pack.

issuer

DID of the signer. did:web:aiegis.ie for AiEGIS-issued packs. Operators MAY issue their own packs under their own DID; the harness verifies against the JWKS at https://<domain>/.well-known/jwks.json.

issued_at / expires_at

RFC 3339. The harness DENYs expired packs (reason: policy_pack_expired). Rollback-protection: a fresh load whose issued_at is older than the locally-cached version is refused.

jurisdictions

ISO 3166 alpha-2 codes, or "*" for "any". Packs are selected when the set intersects the agent's declared jurisdiction.

rules[]

Evaluated in declaration order until a DENY is returned. match.action can be "*", a single action, an array, or a glob ("tool.*"). match.fields is an array of dot-paths into the action payload (defaults to ["input"]).

policy

language is "rego" (preferred) or "jsonlogic". module is the Rego module body (or JSONLogic expression). The reference daemon evaluates Rego via the embedded subset documented in harness_core::eval; full Open Policy Agent compatibility is on the v0.2 roadmap.

deny_reason / layer

deny_reason: short tag returned in the harness response. Convention: <class>_<specific>. layer: which of the AiEGIS 15 layers this rule represents. Convention: L<n>-<Name>. Both surface in the audit log.

default_decision

What the pack returns when no rule fires. Allow-list style packs use "DENY"; deny-list style packs use "ALLOW".

signature

Ed25519 over the canonical JSON (RFC 8785 JCS) with the signature field excluded. alg MUST be "EdDSA" (RFC 8037). The reference pack ships the sentinel value REFERENCE_PACK_NOT_SIGNED_LOCAL_DEV_ONLY — accepted by the local daemon with a warning, refused by the production endpoint.

03 / Evaluation order

How a request is evaluated

  • The daemon selects all loaded packs whose jurisdictions intersect the agent's declared jurisdiction.
  • For each pack, in load order: verify signature against issuer JWKS; verify expires_at; evaluate rules in declaration order until a DENY wins, otherwise WARN, otherwise default_decision.
  • Across packs: any DENY wins. Otherwise any WARN. Otherwise ALLOW.
  • Every evaluation — ALLOW, WARN, or DENY — writes a signed entry to the append-only audit ledger.
04 / Other reference packs

More examples

  • tool-allowlist.json — L4-ScopePolicy. Default DENY for tool.* / function.* / mcp.call; ALLOW only for operator-named allowlist.
  • rate-limit.json — L12-BehaviouralIntelligence. JSONLogic rule capping actions-per-minute per agent identity. Counter sourced from the daemon's sliding-window state.

All three reference packs live at github.com/AiEGIS/aiegis-harness/tree/main/examples.